Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ROOTKIT.AGENT/GEN-DNSHACK


  • This topic is locked This topic is locked
30 replies to this topic

#1 coprimadonna

coprimadonna

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Colorado
  • Local time:12:12 PM

Posted 03 January 2010 - 09:55 PM

Hello, I have a rootkit problem. It's called ROOTKIT.AGENT/GEN-DNSHACK. MBAM did not catch it, but SAS does. It says that it quarantines it, but it always rears its ugly head every time I reboot. Computer is running horribly slow and locks up all the time. Also, Trend Micro OfficeScan found TSPY_SINOWAL.SMM. Again, it says that it cleaned and quarantined... to no avail. I have all kinds of logs that I'd be happy to post, but didn't find the Upload button here. Thought I'd wait for someone to tell me what to do.

Thoughts, please? Thank you so much!

BC AdBot (Login to Remove)

 


#2 coprimadonna

coprimadonna
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Colorado
  • Local time:12:12 PM

Posted 03 January 2010 - 10:36 PM

Could somebody please tell me what I'm doing wrong? I've had over 10 hits and no responces. Do I need different verbage? Post a log? I need help and don't know what else to do...

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:12 PM

Posted 03 January 2010 - 10:37 PM

Hello and welcome. let's run these next .
I am removing your HJT topic as it has no HJT log . If needed we will go there.

Next run ATF:
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 coprimadonna

coprimadonna
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Colorado
  • Local time:12:12 PM

Posted 03 January 2010 - 10:41 PM

Ahhh... Boopme... you've saved me before. Thank you so much for responding! Running MBAM now. Be back in a few.

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:12 PM

Posted 03 January 2010 - 10:48 PM

You're welcome.. FYI.. all those bumps makes it appear that you have replies from a helper. Hence you extended your own wait time.
Will wait the log . Nice to see you again,except it's always with malware :thumbsup:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 coprimadonna

coprimadonna
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Colorado
  • Local time:12:12 PM

Posted 03 January 2010 - 11:01 PM

Ha! I never thought of bumping not helping...doh! You are the best! Here is the MBAM log, but it's nothing too exciting. Now for rootrepeal.
Malwarebytes' Anti-Malware 1.43
Database version: 3490
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/3/2010 8:57:26 PM
mbam-log-2010-01-03 (20-57-26).txt

Scan type: Quick Scan
Objects scanned: 132456
Time elapsed: 12 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 coprimadonna

coprimadonna
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Colorado
  • Local time:12:12 PM

Posted 03 January 2010 - 11:05 PM

Here is RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/03 21:03
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xB297D000 Size: 851968 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xACD76000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x89003e00

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x89004fa0

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x89003300

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x890035c0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x89004c60

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x89004380

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x89004640

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x89004e00

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x89003880

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x89005140

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x890040c0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SAS\SASKUTIL.sys" at address 0xb2af10b0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x89004ac0

Stealth Objects
-------------------
Object: Hidden Code [Driver: iaStor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89935588 Size: 2680

Shadow SSDT
-------------------
#: 548 Function Name: NtUserSetWindowsHookAW
Status: Hooked by "<unknown>" at address 0x89005720

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x89005540

==EOF==

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:12 PM

Posted 03 January 2010 - 11:46 PM

Ok I don't see ot there.
Are your Super and Trend Micro fully updated as TM reports here it removes it.

http://matcha139.hiemalis.org/~isamik/ptn/JPN/6.739.80.txt

Have you run both the SAS and TM scans from Safe mode?

BTW there is no upload. One must copy/paste.

If all that is so the we will run DrWeb ... I'll be leaving now till the morning (NYC,USA)


Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 coprimadonna

coprimadonna
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Colorado
  • Local time:12:12 PM

Posted 04 January 2010 - 12:21 AM

Boop,
Yes, everything is updated. I, too, am signing off for the night, but will leave you with this - MBAM doesn't catch it for some reason, but here is yesterday's scan on SAS (from Safe Mode):

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/02/2010 at 10:22 PM

Application Version : 4.32.1000

Core Rules Database Version : 4379
Trace Rules Database Version: 2263

Scan type : Complete Scan
Total Scan Time : 00:33:41

Memory items scanned : 309
Memory threats detected : 0
Registry items scanned : 6871
Registry threats detected : 0
File items scanned : 34405
File threats detected : 6

Rootkit.Agent/Gen-DNSHack
C:\SYSTEM VOLUME INFORMATION\_RESTORE{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP172\A0032444.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP173\A0034462.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP175\A0038506.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP175\A0039622.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP176\A0042623.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP176\A0042624.EXE
_______________________________________________________________________________________________

And here is TM:

Last malware/virus found (on 01/02/10):
TSPY_SINOWAL.SMM from C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP172\A0033073.dll

_______________________________________________________________________________________________

Upon trying to install DrWeb (and I'm flattered that you think I understand Russian -lol), I received the following message:
The archive is either in unknown format or damaged.

So I will research another way to install this... but will wait to run anything until after you've had your morning cup o' joe. :-)

Sweet dreams! :thumbsup:

Edited by coprimadonna, 04 January 2010 - 12:26 AM.


#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:12 PM

Posted 04 January 2010 - 11:46 AM

Good morning or should it be Доброе утро :thumbsup: sorry there is a glitch with the DR...
Any way I think I see the only problem you have.. Malware surviving in system restore is reappearing. We will empty that and then scan again and see.


You should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 coprimadonna

coprimadonna
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Colorado
  • Local time:12:12 PM

Posted 04 January 2010 - 01:31 PM

Thanks, Boop.
Just completed all the steps and everything seems to be working well. I'll keep working on it and let you know if we need more help! You are the BEST... thank you SOOO much! :thumbsup:

Edited by coprimadonna, 04 January 2010 - 01:31 PM.


#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:12 PM

Posted 04 January 2010 - 02:17 PM

Great!! copri... They should not show again in your scans.. Thanks... have a great day!

Boop
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 coprimadonna

coprimadonna
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Colorado
  • Local time:12:12 PM

Posted 04 January 2010 - 03:04 PM

Whoops!!!! Actually... hold it right there, Boop! :thumbsup:

I'm locked up again. RAR! I'm having similar problems as before. Perhaps there's something else going on here... but whenever I have several apps open (i.e.: Internet Explorer, MS Word and MS Excel, etc...) it realllly seems to get angry. That's when it just completely locks up and I have to do a hard shut down. And it's still really slow. There's plenty of disk space, so not sure what else it could be... hmm...

I'm running SAS again in safe mode. Should I try to get DRWEB up and running?

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:12 PM

Posted 04 January 2010 - 03:24 PM

Screeech :flowers:

Rats!! What are you up to :thumbsup:

Yes try the DrWeb...
Then this antirootkit
Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rookit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug you Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#15 coprimadonna

coprimadonna
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Colorado
  • Local time:12:12 PM

Posted 04 January 2010 - 04:00 PM

Boop,
I really wish I had something exciting to say in response to "what are you up to"...lol. SAS came up with only a few cookies this time.
Drweb still doesn't like me for some reason... he just doesn't want to move in. (btw: there's a drop down list in the upper right hand corner of the russian webpage. English is one of the choices.) Sophos DOES want to be my friend, however, and is busy, busy, busy. Will post its log in a few.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users